100,000 Passports and Selfies of UK Visa Applicants Exposed on Unofficial Site
UK Visa Portal, a website that claims to be a channel for obtaining a visa to enter the UK, is publicly exposing online at least 100,000 documents including passports and selfies of its customers. The breach is still open at the time of publication, and the company, upon being notified of the issue, responded through legal representatives and the press office rather than fixing the exposure.
It is important to emphasize from the outset that the site is not affiliated with the British government: it is one of several commercial services that intercept traffic from those seeking the official Electronic Travel Authorisation (ETA), charging significantly higher fees than those stipulated. The ETA requested through GOV.UK costs £20 from April 8, 2026; UK Visa Portal charges amounts in the range of 80-90 euros, according to public reviews from its customers. Several individuals have stated that they believed, during the payment process, that they were on the official channel.
Legal Representatives Respond, Patching Not Forthcoming
The exposure was identified by TechCrunch following an anonymous report, and verified by directly contacting some individuals whose documents were found accessible: all confirmed the authenticity of the data.
When the publication attempted to notify the company to activate a responsible disclosure protocol, there was no channel available on the site for reporting security issues, and no name or contact for management is publicly listed. The only accessible email address is that of generic customer support, typically unsuitable for sharing specific details of a sensitive vulnerability. Upon requesting direct contact with management, the company's legal representatives and press office responded. At the time of publication, the breach remains active.
TechCrunch chose not to make public the technical details of the exposure to avoid amplifying the risk for those involved until the situation is resolved. The sequence of reporting, verification, attempts to notify, and lack of response is a problem that responsible disclosure is able to address when the other party cooperates, but that becomes blocked when the other party chooses not to.
Exposed Identity Documents: What Are the Risks for Those Affected?
The nature of the data involved makes the incident deserving of attention beyond the numbers: a password associated with a photo of the holder’s face is the basic package used in any remote identity verification procedures, from opening an online account to signing up for financial services. This combination allows impersonation of the holder in onboarding flows that rely specifically on that type of documentation.
Last April, we covered the case of the French portal ANTS, where scans of passports and identity cards were not found among the compromised information; the UK Visa Portal case appears more serious on this specific front.
For those traveling to the UK from visa-exempt countries, the only official channel for obtaining the ETA remains GOV.UK, with its official app, a fee of £20, and automatic response times in the range of a few minutes. Applications made through UK Visa Portal or similar intermediaries are not void, but those who provided their documents to these sites should consider the possibility that they may have already been exposed, monitoring accordingly for any identity theft attempts.